CVE-2025-62248

Description

A reflected cross-site scripting (XSS) vulnerability, resulting from a regression, has been identified in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 allows a remote, authenticated attacker to inject and execute JavaScript code via the _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter. The malicious payload is executed within the victim's browser when they access a URL that includes the crafted parameter.

How to fix CVE-2025-62248

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2025-62248 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, <= 5.0.122

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-62248
• PATCHgithub.com/liferay/liferay-portal
• WEBgithub.com/liferay/liferay-portal/commit/a659c94bcfb218e5e5bb3e2cf7efa20a5abc10ed
• WEBliferay.atlassian.net/browse/LPE-18304